A password policy designed for federal agencies must be secure, right? Surprisingly, that hasn’t been the case according to the National Institute of Standards and Technology (NIST). On the hook for the password best practices that we still use today — the combination of letters, capitalizations, and numbers — NIST admits that the existing guidelines were misguided.